Wednesday, March 09, 2011
This month I gave a similar talk to two user groups. The OWASP Wellington (and Auckland over video conference), and the Wellington .NET user group both invited me to speak on: "I know what you did last summer; The latest from the world of web hacks".

This was a fun talk to deliver. The focus was on recent web 'hacks' that had occurred in the past few months (I used a pretty general definition of 'hack'), but the main discussion was around the lessons that we could learn from these issues and what we could draw back into our own projects.

I think this talk had the most interaction of any of my previous talks. There was lively discussion about what the root cause of the problem was, whether it was even fixable at all, and we lamented the effects of 'users' :)

Since the .NET talk was a superset of the OWASP one (it was longer), I've included those slides below:

2011-03-09-WellingtonNet.pdf (2.07 MB)

Thanks for coming!

Kirk
posted on Wednesday, March 09, 2011 8:17:00 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
Wednesday, September 29, 2010

Thanks to those user group members and Xero partners that came along to our talk today.

We covered the two vulnerabilities released last week, the workarounds, and the patches that were released this morning.

Here are the slides: KirkJackson-PaddingOracle.pdf (641.14 KB)

All ASP.NET applications are affected. The best thing to do is install the patches released this morning.


Problem & bulletins:

Security bulletin MS10-070

Useful info on ScottGu's blog

Forum about the security vulnerability

Video of a site exploit, even with the workarounds applied

Patch:

Scott Gu's writeup of the patch

Post-mortem of the patch - Marc Brooks

How to configure the new patched features

Research:

Juliano Rizzo and Thai Duong and their POET tool

Padbuster tool (including a great writeup of Padding Oracles)
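A padding oracle exists when an application's response to a tampered ciphertext tells the sender whether decryption produced valid padding, for example by returning one error for a padding failure and a different one for a later content failure. The example below is added here and is not code from the post, the slides, or ASP.NET itself: it places a decryptor with distinguishable failures beside one that authenticates the whole token with an HMAC (encrypt-then-MAC) before decrypting, and adds a self-check a defender can run against their own implementation, which changes one token byte through every other value and counts the distinct responses. The Feistel block cipher, the keys, the `MAGIC` marker and the sample payload are all constructed for the example.

```python
"""Constructed example (not from the post or ASP.NET): a leaky decryptor beside an
encrypt-then-MAC decryptor, using a toy HMAC-SHA256 Feistel cipher so it runs offline."""
import hashlib
import hmac
import os

BLOCK = 16
MAGIC = b"VIEWSTATE:"  # constructed marker a decrypted payload must start with

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # Feistel round function: keyed PRF truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right

def block_decrypt(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right

def cbc_encrypt(key, iv, plaintext):
    n = BLOCK - len(plaintext) % BLOCK
    plaintext += bytes([n]) * n  # PKCS#7 padding
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    """Decrypt and strip PKCS#7 padding; raises ValueError on bad padding."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, block), prev))
        prev = block
    data = b"".join(out)
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def seal_leaky(enc_key, payload):
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(enc_key, iv, MAGIC + payload)

def open_leaky(enc_key, token):
    """Leaky: the response reveals which stage of decryption failed."""
    try:
        body = cbc_decrypt(enc_key, token[:BLOCK], token[BLOCK:])
    except ValueError:
        return "error: padding"    # one response for a padding failure...
    if not body.startswith(MAGIC):
        return "error: malformed"  # ...and another for a content failure
    return "ok"

def seal_authenticated(enc_key, mac_key, payload):
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, MAGIC + payload)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_authenticated(enc_key, mac_key, token):
    """Encrypt-then-MAC: a modified token is rejected before padding is looked at,
    and every failure maps to the same response."""
    iv, ct, tag = token[:BLOCK], token[BLOCK:-32], token[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "error: invalid token"
    try:
        body = cbc_decrypt(enc_key, iv, ct)
    except ValueError:
        return "error: invalid token"
    return "ok" if body.startswith(MAGIC) else "error: invalid token"

def distinct_outcomes(oracle, token, position):
    """Self-check: responses produced by every *changed* value of one token byte.
    More than one distinct response means the decryptor is acting as an oracle."""
    seen = set()
    for v in range(256):
        if v != token[position]:
            seen.add(oracle(token[:position] + bytes([v]) + token[position + 1:]))
    return seen

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # constructed keys
    payload = b"user=alice;role=reader"  # three plaintext blocks once padded
    pos = 3 * BLOCK - 1  # last byte of the ciphertext block before the final one
    leaky = distinct_outcomes(lambda t: open_leaky(enc_key, t), seal_leaky(enc_key, payload), pos)
    hard = distinct_outcomes(lambda t: open_authenticated(enc_key, mac_key, t),
                             seal_authenticated(enc_key, mac_key, payload), pos)
    return {"leaky": leaky, "hardened": hard}
```

Calling `demo()` returns two sets. The leaky decryptor produces two responses for the same class of modification ("ok" for the one byte value that happens to yield valid padding, a padding error for the rest), which is exactly the signal an oracle leaks; the authenticated decryptor returns a single "invalid token" for every modification because the tag check fails before any padding is examined. Verify integrity first, decrypt second, and return one error for everything: that is the property a padding-oracle fix has to restore.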

posted on Wednesday, September 29, 2010 8:25:39 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
Monday, September 27, 2010
If you're in Wellington this Wednesday and you develop, maintain, manage or host ASP.NET or SharePoint websites, please do come along to hear about the security vulnerability disclosed a week ago:

http://www.dot.net.nz/Lists/Events%20Calendar/DispForm.aspx?ID=321

posted on Monday, September 27, 2010 9:08:47 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
Tuesday, September 01, 2009

Visual Studio 2010 will have better support for a multi-monitor setup, but it's possible to get part of the way in 2008 already.

Toolbars and property windows (e.g. Solution Explorer, Class View) can be dragged into separate windows (2010 will add the ability to drag documents into separate windows too):

(Screenshot: floating windows)

Window positioning gets a bit weird when you switch from one monitor to another, or change resolutions - a common occurrence when you're a laptop user docking and un-docking.

You can create two settings files, one for your single monitor layout, and one for your multi-monitor layout, and use them when starting Visual Studio 2008:

  1. Arrange your windows the way you like them
  2. Go to Tools > Import and Export Settings > Export selected environment settings
  3. You get a great tree-view of every possible setting category in Visual Studio. Click the top node to deselect everything, and scroll down and select only General Settings > Window Layouts:
  4. Save your settings file somewhere handy (e.g. d:\multimon.vssettings)
  5. Repeat for each layout you like

Now that you have two or more settings files, you just need to create a shortcut icon for each one somewhere in your Start menu.

Edit the shortcut's Target, and add the parameter /resetsettings D:\multimon.vssettings to the end (replace the path with the path to each settings file).


Now when you launch your new shortcut, it will start Visual Studio 2008 with the correct window layout. Because you only exported and imported the Window Layouts, all the other settings stay the same.

You may also want to make these changes to your shortcut:

  • Add the /nosplash parameter to your Target, to avoid the "Visual Studio" splash screen and make it slightly faster to start (perception is everything!)
  • Check the Run as administrator option, which is useful if you often need to restart Visual Studio to connect to the ASP.NET worker process when developing under IIS.


Cheers,

Kirk

Previous VS2008 Tips:

posted on Tuesday, September 01, 2009 9:55:57 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
Sunday, August 30, 2009

Code Camp is less than two weeks away!

If you want to catch some free sessions on the state-of-the-art in .NET development, SQL Server and developer security then sign up for Code Camp Auckland 2009 now.

Code Camps are non-profit, and organised by members of the local developer community. This year the Auckland Code Camp is the day before TechEd (Sunday 13 September), so we've managed to nab a few great speakers on their day off to present to us.

It's the biggest Code Camp ever - over 14 hours of sessions across 3 streams from 10am till 5pm:

Development...

  • What's Happening in .NET Languages and Why Should You Care?
  • .NET on the iPhone and Beyond
  • Behaviour Driven Development
  • Domain Specific Languages
  • C# 4.0 new features
  • Silverlight with Prism
  • Becoming Certified
  • Lightning Talks
  • and more!

The latest and greatest in development topics, by the people that know!

SQL Server?

  • SQL Server Virtualisation Best Practices and Recommendations
  • SQL Server Analysis Services and Gemini
  • Query Optimization and Query Tuning
  • Understanding SQL Server Indexing
  • SQL Server Maintenance

Training and guidance from the best SQL trainers in the industry!

Security!

  • Secure Development Lifecycle and Threat Modelling workshop
  • Secure Coding Practices

We are lucky to have Michael Howard, author of Writing Secure Code and 24 Deadly Sins of Software Security giving a free workshop for developers, architects and team leads on Threat Modelling and the Secure Development Lifecycle. This will be followed by a session on how to write secure .NET code.

Auckland has never seen such an awesome free event!

Presenters that are offering their time include Greg Low, Nicholas Dritsas and Auckland's Alex Henderson of Architecture Chat fame.

To cover the costs of the event, we have the help of our generous sponsors: Microsoft, Datacom, Intergen, INETA and Xero.

All that's left for you to do is to visit the website for more details, and sign up now!

See you there on Sunday 13 September,

Kirk

posted on Sunday, August 30, 2009 11:17:02 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
Wednesday, August 19, 2009

Today at the Wellington .NET User Group, Kevin presented a talk on "Windows Mobile 6.5 Widgets".

Kevin has kindly provided his slides and samples for download:

I found this interesting. I haven't developed any applications for Windows Mobile, though I have played around a bit with the emulator and deploying code from within Visual Studio.

Widgets seem like a much simpler application development model than native or Compact Framework applications. The application development model is similar to Vista sidebar gadgets, as there is a packaged zip file containing the application inside - and the application is 'simply' JavaScript and HTML. Widgets can use XHR or DOM manipulation, and have access to a small amount of local storage to store preference information.

Windows Mobile 6.5 treats widgets as first-class application citizens within the OS - they have icons on the revamped start screen, and appear in the uninstall screen. As far as the user knows, they are the same as a native application.

Where the process is currently let down is in deployment and debugging. Currently a widget can only be deployed through the Windows Mobile marketplace, after the developer has signed up and the application has been reviewed (I think!). Debugging from Visual Studio seems non-existent, meaning that development is through trial and error.

I could see an enterprising person (like Kevin) building a Javascript library that simulated the API provided by the widget infrastructure, so that widgets could be developed and tested on a desktop before being deployed on a device. Kevin, am I right that all that is needed is the Widget object and some fake ActiveX controls?

All up, an interesting session.

Cheers!

Kirk

posted on Wednesday, August 19, 2009 10:51:20 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [3]

Today I went to Nelson for lunch, and presented on Caching to the Nelson .NET User Group.

The talk was a repeat of my Wellington and Auckland talk from a few months ago, and covered various places you typically cache data in a .NET app, motivating the discussion of memcached and Velocity.

It was nice to get down to Nelson to briefly soak up the sun and meet a few new people.

View my previous post on Caching for further info.

Thanks for having me Daniel!

Kirk

posted on Wednesday, August 19, 2009 10:32:39 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [1]